If your company handles payment transactions of any type, then you’re familiar with the Payment Card Industry Data Security Standard (PCI DSS)—a group of security standards designed to create and maintain a secure environment for any company that accepts, processes, stores, or transmits credit card information.
Because we provide tools for application security, we will focus primarily on how this regulation affects companies building applications.
We have found that many organizations are unclear on the requirements of PCI scans or how to properly conduct them on their applications. Protect your reputation and your customers (while avoiding hefty fines) with this in-depth look at the right way to perform PCI compliance scans.
What is PCI and does it apply to your business?
PCI DSS is the security standard for credit and debit card transactions and protecting consumers against misuse of their personal and sensitive information. The standard is a robust document outlining the steps required to create a secure payment card data security process.
While we don’t have time to delve into every detail in PCI DSS, we would like to point out some of the most important information in the document. The PCI DSS applies to any organization that accepts, transmits, or stores any cardholder data, regardless of the size or number of transactions.
There are four compliance levels, based on the volume of transactions over a 12-month period. Level 1 applies to any organization processing more than 6 million transactions per year; the other levels apply to lower ranges of transaction volume. Each level comes with its own set of requirements, which become more robust as you move up from Level 4 to Level 1.
Using a third-party provider to process credit card transactions does not exempt your organization from PCI DSS compliance. This is a common misconception that we want to draw extra attention to. It is still your responsibility to be compliant. Additionally, using Secure Sockets Layer (SSL) does not make your business PCI compliant. This is one step in the process, but it is not enough.
Penalty fines can range from $5,000 to $100,000 per month until compliance is achieved. This is enough to force smaller businesses to shut down.
The PCI DSS standard defines cardholder data as the full Primary Account Number (PAN) along with any of the following:
- Cardholder name, expiration date, or service code
- Sensitive authentication data, such as magnetic stripe data and PINs, must also be protected
There are specific PCI DSS requirements pertaining to software applications that are worth noting:
- Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle.
- Review custom code and any third-party libraries prior to release to production or customers in order to identify any potential coding vulnerability.
- Develop all web applications based on secure coding guidelines, such as the Open Web Application Security Project Guidelines.
- Ensure that all web-facing applications are protected against known attacks by either of the following methods:
  - Having all application code reviewed for common vulnerabilities by an organization that specializes in application security.
  - Installing an application-layer firewall in front of web-facing applications.
If you qualify for certain Self-Assessment Questionnaires (SAQs) or you electronically store cardholder data after authorization, you are required to conduct a quarterly PCI scan. The scan must be performed by an Approved Scanning Vendor (ASV). More details on PCI compliance scans are provided below.
PCI compliance scans: What are they and how to properly conduct them
A PCI vulnerability scan identifies security threats (vulnerabilities) in your application. Any issues that are identified should be addressed immediately.
Some of the most common web application vulnerabilities that PCI scans detect are:
- Cross-site scripting (XSS): one of the most common vulnerabilities in web applications. It allows attackers to execute scripts in a visitor's browser on behalf of a vulnerable website, without the user's knowledge. Affected users can be redirected to malicious sites or subjected to other malicious activity, such as having their cookies stolen.
- SQL injection: this type of attack involves inserting SQL into input the application passes to its database, so the attacker can read sensitive data from the database, modify database data, or perform other malicious activity.
PCI compliance scans are covered in requirement 11 of the PCI DSS standard, which focuses on network and application security. The requirement states that scans must be run quarterly. In other words, your scans must be running and passing at least every 90 days—and you must submit a summary of your passing scans.
If your scan fails, you must rescan once you have corrected the issues and verify that a passing result has been obtained or that all high-level vulnerabilities have been resolved. The PCI DSS standard identifies five levels of vulnerabilities, ranging from low to urgent. A high-level vulnerability is any issue that falls within levels three through five. (Consult the PCI DSS standard for additional details on the specific vulnerabilities within each level.)
It is also important to note that if you make any significant changes to your application within those 90 days, you need to run a new scan to make sure no new vulnerabilities were introduced.
The 90-day window is the minimum; we strongly recommend running scans more frequently. Failure to conduct regular PCI scans can result in fines for noncompliance and damage to your business.
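The pass/fail and cadence rules described above (levels 3 through 5 block a passing result, a new scan is due 90 days after the last passing scan, and a significant change after that scan means a rescan now) can be encoded as a small tracker. This is an added example, not code from the original article or from any ASV tool; the scan records, finding names and change dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Severity levels as the article describes them: 1 (low) to 5 (urgent).
# Findings at level 3 or above are "high-level" and block a passing scan.
HIGH_LEVEL_THRESHOLD = 3
QUARTERLY_WINDOW_DAYS = 90  # minimum cadence under Requirement 11


@dataclass
class Finding:
    name: str
    level: int  # 1..5


@dataclass
class Scan:
    run_on: date
    findings: List[Finding]


def blocking_findings(scan: Scan) -> List[Finding]:
    """Findings that must be fixed before this scan can count as passing."""
    return [f for f in scan.findings if f.level >= HIGH_LEVEL_THRESHOLD]


def scan_passes(scan: Scan) -> bool:
    return not blocking_findings(scan)


def next_scan_due(scans: List[Scan], significant_changes: List[date], today: date) -> date:
    """Date by which the next scan must run.

    No passing scan on record, or a significant application change made
    after the last passing scan, means a scan is due today; otherwise the
    next scan is due 90 days after the most recent passing scan.
    """
    passing_dates = [s.run_on for s in scans if scan_passes(s)]
    if not passing_dates:
        return today
    last_pass = max(passing_dates)
    if any(change > last_pass for change in significant_changes):
        return today
    return last_pass + timedelta(days=QUARTERLY_WINDOW_DAYS)


def days_until_due(scans: List[Scan], significant_changes: List[date], today: date) -> int:
    """Positive: days remaining; zero: due today; negative: overdue."""
    return (next_scan_due(scans, significant_changes, today) - today).days


# Constructed sample history: first scan fails on a level-4 XSS finding,
# the rescan ten days later passes, then a significant release ships in March.
SAMPLE_SCANS = [
    Scan(date(2024, 1, 10), [Finding("Reflected XSS in search", 4), Finding("Verbose server banner", 1)]),
    Scan(date(2024, 1, 20), [Finding("Verbose server banner", 1)]),
]
SAMPLE_CHANGES = [date(2024, 3, 1)]
```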
You can lose your ability to accept credit cards if you lose your merchant status. Worse, if you suffer an attack, your company's reputation may never recover.
Scans must be performed by an Approved Scanning Vendor that offers the necessary services and tools to conduct the external vulnerability scanning required under PCI DSS.
A Scanning Vendor’s solution is tested and approved by the PCI Security Standards Council (SSC) before it is added to the list of approved vendors. The current list of Approved Scanning Vendors is available for reference.
Tips for successful PCI compliance scans include the following:
Build a team of dedicated individuals
Even if your team is small, more than one person should be in charge of making sure the PCI compliance scan process is done properly and on a regular basis. Leaving this responsibility in the hands of just one person is asking for problems.
Choose a scan frequency that fits your business
Just because the requirement is every 90 days, that does not mean it is the best approach for your business. There is no hard and fast rule, but scan frequency should make sense for your application and organization. Issues to consider include transaction volume and how frequently you make changes to the application (more changes mean more frequent scans).
The more often you conduct scans, the faster you identify issues and address them before they are exploited by an attacker. Frequent scans also remove the potential for failing to meet the quarterly PCI requirement.
Perform both external and internal vulnerability scans
An external vulnerability scan simulates an attack from the outside of your application, identifying ways an external attacker can get into the system. An internal vulnerability scan checks your internal network for vulnerabilities. Both types of scans are required for PCI compliance.
An important note here is that your ASV provider is not responsible for handling your PCI internal vulnerability scan—you are. There are tools that can automate the internal scan process for you, checking your application codebase against PCI DSS requirements and flagging violating lines of code. The exact violation is displayed, along with a recommendation on how to correct it.
Such tools save organizations hours upon hours of work while increasing application security and PCI DSS compliance. You gain confidence that your code is violation-free, with the added benefit of having more time to focus on improving your application rather than worrying about compliance.
Act quickly on failed scans
If your application fails a scan, you must act immediately. You have to provide proof of a passing scan every 90 days, so you must remediate vulnerabilities right away, especially high-level issues. Quick remediation also protects your customers’ sensitive data and your reputation.
It may be tempting to do the bare minimum required for PCI compliance scans, but this will not yield a successful outcome. Comprehensive application security testing on a frequent basis gives you the best chance for success.
PCI DSS compliance may seem like a headache, but the requirements are there to protect both your customers and your business. Adhering to these regulations with regular PCI compliance scans makes sure your application is secure and your customers’ sensitive data is protected. In our experience, a secure application is a successful one, making PCI compliance scans a necessary step for a reliable and frequently-used application.
The most recent version of the PCI DSS standard is available here, along with a document outlining the changes made to the previous version.